Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Saranya_0305
Collaborator

Identity Awareness – Using Access Roles as Source in Internet Access Rules

Dear Mates,

I am currently working on an Identity Awareness Blade lab.

I have successfully integrated Microsoft Active Directory (Browser-Based Authentication) with a Check Point standalone deployment.

However, I have a few questions:

Is it possible to create access rules based on users (Access Roles) as the Source for allowing Internet access and specific services, instead of allowing access for the entire network?
I have enabled Hide NAT for the entire network using the Network Object.
Do I need to create an access rule with the Network Object as the source first, or can I use only the Access Role as the source in the rule?
My expectation was that using the Access Role alone would be sufficient, but it does not seem to work.
During my testing, I noticed that when I specify the Network Object as the source, that rule is matched and takes priority. However, when I use only the Access Role, the traffic does not match the rule.
I am using a Unified Policy Package with the Application Control and URL Filtering blades enabled.

Could you please suggest the best practice for configuring Identity Awareness policies in this scenario?

Specifically:

Should Access Roles be used alone as the source, or should they be combined with network objects?
Are there any prerequisites or common configuration issues that could prevent Access Role-based rules from matching?

 

Regards,

Saranya

0 Kudos
1 Reply
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP

You can use the Access Role directly in the rule, there's no need to also use the network object. If it's not matching then your gateway probably doesn't have the identities collected. Users will have to do the browser based authentication before the access role will work. If you're expecting a redirect to occur make sure you have that set in the Action part of the rule they will match, and you'll probably need HTTPS Inspection inspecting the connection else we can't redirect it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events